Risk Assessment


Transcript of Risk Assessment

Page 1: Risk Assessment

Risk Assessment in a nutshell

This is a checklist, not a definitive list, but it may help as a template when forming risk assessments and disaster recovery plans.

WHAT LEVEL OF DISASTER PLANNING IS NEEDED?
A few minutes' consideration? A day of planning? A plan with regular thorough testing?
Is internal planning adequate, or is a specialist third party needed?
What locations need consideration: main office, second offices, homes?
Contingencies if our systems and office are not accessible for 1/2 day, 1 day, 3 days, 1 week, 1 month?

PEOPLE
Known and tested evacuation plan?
Adequate first aid equipment and training?

OFFICE SYSTEMS
What does the IT support contract say if key equipment fails or disaster recovery assistance is needed?
Which warranties are held? What do they mean in reality?

Applications
Are these location dependent?
Are they accessible via the cloud? Can they be relocated?

Backups
Automatic frequent file saving?
Mirrored or RAID server drives? (These protect against a single drive failure, not against deletion, ransomware or fire, so they do not replace a backup.)
Tape backup?
Network Attached Storage (NAS) backup?
Over-the-wire off-site backup?
Over-the-wire mail archiving?
Never-fail server replication?
Are regular test restores carried out?
Is a recent copy of data held off site?
Where are security codes and passwords held, and can they be reached when the office and its systems are down?
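As an added example (not part of the original checklist), the following Python script shows what "are regular test restores carried out?" looks like when automated: a manifest of SHA-256 hashes is taken at backup time, the archive is restored into a scratch directory, and the result is compared file by file, reporting anything missing, corrupt or unexpected. The sample files, archive names and the backup job that silently skips a file are all constructed for illustration.

```python
"""Test-restore check: restore a backup archive into a scratch directory and
verify every file against a manifest recorded when the backup was taken.

Added example for the Backups checklist; not part of the original document.
All paths, file names and file contents below are constructed for illustration.
"""
import hashlib
import os
import tarfile
import tempfile


def build_manifest(root):
    """Map each file under root (path relative to root, '/'-separated) to its
    SHA-256 hex digest. Taken at backup time, this is what a restore is
    checked against."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def make_backup(root, archive, exclude=()):
    """Write a gzip tarball of root. `exclude` simulates a backup job that
    silently skips files, which is exactly the fault a test restore exists
    to catch."""
    with tarfile.open(archive, "w:gz") as tar:
        for rel in sorted(build_manifest(root)):
            if rel not in exclude:
                tar.add(os.path.join(root, rel), arcname=rel)


def _is_safe_member(member):
    """Accept only plain files and directories with relative, non-escaping
    names, so a corrupted or hostile archive cannot write outside the
    scratch directory during the test restore."""
    parts = member.name.split("/")
    if os.path.isabs(member.name) or ".." in parts:
        return False
    return member.isfile() or member.isdir()


def verify_restore(archive, expected):
    """Restore archive into a fresh temporary directory and compare the
    result with `expected` (the manifest taken at backup time). Returns a
    report; report["ok"] is True only if every expected file is back and
    byte-identical and nothing unexpected appeared."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            members = [m for m in tar.getmembers() if _is_safe_member(m)]
            # Newer Python versions also offer the 'data' extraction filter;
            # use it when present as a second line of defence.
            opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, members=members, **opts)
        restored = build_manifest(scratch)
    missing = sorted(set(expected) - set(restored))
    extra = sorted(set(restored) - set(expected))
    corrupt = sorted(p for p in expected
                     if p in restored and restored[p] != expected[p])
    return {"ok": not (missing or extra or corrupt),
            "missing": missing, "extra": extra, "corrupt": corrupt}


def demo():
    """Constructed scenario: a complete backup that passes the test restore
    and one whose job skipped the accounts database. Returns both reports."""
    # Constructed sample files standing in for documents, CRM data and accounts.
    samples = {
        "docs/contract.txt": b"signed contract text\n",
        "crm/customers.csv": b"id,name\n1,Example Ltd\n",
        "accounts/ledger.db": bytes(range(256)),
    }
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "office-data")
        for rel, data in samples.items():
            path = os.path.join(src, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        manifest = build_manifest(src)
        good = os.path.join(work, "good.tgz")
        bad = os.path.join(work, "bad.tgz")
        make_backup(src, good)
        make_backup(src, bad, exclude={"accounts/ledger.db"})
        return verify_restore(good, manifest), verify_restore(bad, manifest)


if __name__ == "__main__":
    labels = ("complete backup", "backup that skipped a file")
    for label, report in zip(labels, demo()):
        print(label, "->", "PASS" if report["ok"] else "FAIL", report)
```

Run it with no arguments to see the complete backup pass and the incomplete one fail. The point is that a backup job can finish without any error and still have skipped the one file that matters; only a restore compared against an independent manifest shows that. Pointing verify_restore at a real archive, with the manifest stored off site and separately from the archive, gives a test-restore check that can run on a schedule.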

Internet
Service provider has a good reputation?
ADSL or SDSL with a Service Level Agreement (specified maximum downtime)?
Second broadband line available?
Wireless second service available, over-the-air or via USB data card/mobile stick?
Automatic failover needed?
Mail (MX) re-routing possible in the event of line failure?
Access to mail via mail forwarding or similar?

Power
Is the Uninterruptible Power Supply (UPS) adequate to shut down the server safely?
Is major equipment (servers, switches, routers, phone system) UPS-protected?
Redundant power supply for servers?
If power fails, is the building usable? Will doors function? Can the premises be locked or alarmed?
Emergency lighting? Torches and spare keys to hand?
Is the power supply stable and the wiring in good condition? (If in doubt, check.)

Phone
Spare analogue landline phone for emergencies?
What if the phone system dies? Is there a service contract? What does it cover?
Do staff have colleagues' mobile numbers?
Can we contact key clients and suppliers?

Data and software
Document repositories, databases, accounts, CRM.
Can they be set up elsewhere? Has this been tried?

ENVIRONMENT

Acts of God
How exposed are we to flood, rain, rivers, lightning, overheating, or freezing? What steps can we take to reduce this?

Acts of Man
How vulnerable are we to spontaneous theft, burglary, sabotage, attack?
Are systems physically secure: locked rooms, equipment chained to desks, security marked?
Is there an adequate alarm system?
Are we adequately protected against viruses, spam, spyware, malicious hacking?

Where do we go?
What would we do if the office was not accessible? Is remote working possible?
What would we do if the office was not accessible and IT systems were down? Hotmail from Starbucks? Share an office with another organisation?
Where could we source equipment? Have laptops? Rent? Buy?

If we need to claim
Is there adequate insurance? What does it cover exactly?
Do we have an inventory of all key equipment and software?
Do we have photographic evidence of damage or lost items?

TEST & REHEARSE
Business Continuity and DR plans have to be tested. A typical failure found only by rehearsal: people keep the password to their emergency internet email system in Outlook, so when Outlook crashes the emergency system is unreachable too.